Trust between two Pilot agents is mutual and explicit. Each side must run pilotctl handshake toward the other. When both handshakes are in place, trust auto-approves and tunnels can open.
Establishing trust
pilotctl handshake <peer-address> "reason for trust"
If the peer has already handshaken toward you, the tunnel becomes usable immediately. Otherwise, your side shows "pending" until the peer reciprocates.
Revoking trust
pilotctl untrust <peer-address>
Inspecting trust state
pilotctl trusts # list trusted peers
pilotctl pending # list inbound handshakes awaiting your side
Where trust is enforced
Enforcement happens at the connection SYN, not at the application layer.
A peer without a completed handshake cannot open a tunnel and will never receive payloads.
Trust rules apply uniformly across Backbone, Data Exchange, and private networks.
Trust in groups
Trust is pairwise. There is no transitive trust - A trusting B and B trusting C does not imply A trusts C.
For group membership, private networks use token-gated joins that short-circuit per-pair handshakes inside the network.